Information on the Processing of Personal Data of Suppliers

Pursuant to Articles 13 and 14 of EU Regulation 2016/679

  1. DATA CONTROLLER and CONTACT DETAILS
    The Data Controller is F.C.R. Industrie S.r.l. Registered Office: Corso Vittorio Emanuele II, 15 – Milan (MI). Administrative Office: Via Tonale 18 – Vittuone (MI). Company contacts: email fcrindustrie@fcr.it, telephone +39 02 9031 0245. Privacy Contact: privacy.ind@fcr.it

  2. PERSONAL DATA SUBJECT TO PROCESSING
    As part of contractual relationships and related management activities, the Data Controller may process the following categories of personal data:
    • Supplier’s personal and identification data: company name, tax code, VAT number, registered office and/or operational address, telephone and electronic contact details (email, certified email), bank details (IBAN), etc.
    • Data of relevant company personnel: name, surname, role, email and telephone contact details, if necessary for managing the contractual relationship
    • Data of the professional (in the case of individual supplies, consultancy, or services provided by a commercial agent): identification and contact details, relevant CV information, professional insurance coverage details, degree certificates and/or specializations, qualifications
    • Data relating to the supplier’s contracted personnel: identification data, personal details, and, where applicable, financial information, if processing is necessary for workplace health and safety purposes pursuant to Article 26 of Legislative Decree 81/08 and subsequent amendments
    • Technical data: In the case of IT suppliers and/or those responsible for managing digital systems and infrastructures, access logs, authentication identifiers, technical logs, and information relating to the activity performed on company systems may also be processed, if relevant for IT security, incident management, and audit purposes

  3. PURPOSES AND LEGAL BASIS
    Personal data will be processed by the Data Controller for the following purposes, in accordance with the corresponding legal bases established by Regulation (EU) 2016/679:
    • Performance of the contract
      Processing necessary for the performance of a contract to which the data subject is a party (Article 6, paragraph 1, letter b) of the GDPR), in particular to:
      • manage the contractual conditions signed with the supplier
      • verify the effective provision and quality of the agreed services or supplies
    • Compliance with legal obligations
      Processing necessary to fulfill obligations under applicable regulations (Article 6, paragraph 1, letter c) of the GDPR), in particular:
      • to fulfill tax, accounting, administrative, and regulatory obligations related to the service received;
      • to comply with occupational health and safety obligations, where applicable.
    • Legitimate interest of the Data Controller
      Processing necessary for the pursuit of the legitimate interests of the Data Controller (Article 6, paragraph 1, letter f) of the GDPR), including:
      • protecting its rights in the event of disputes or complaints;
      • monitoring the performance of the supplier and the services provided, with a view to ensuring adequate quality standards.
      • ensuring the security of infrastructure and information systems, including through logging, access tracking, incident management, and analysis of anomalies or non-compliant behavior

  4. SCOPE OF COMMUNICATION AND RECIPIENTS
    The data will be communicated to the minimum extent necessary to achieve the purposes, based on applicable legislation and/or a contractual agreement with the Data Controller, to:
    • internal personnel authorized to process data for:
      • technical, commercial, and administrative services
      • audits and supervisory activities (for example, Supervisory Body (SB) activities and internal audits aimed at maintaining and improving management systems)
    • suppliers of services related to and/or consequent to the agreed services, who act as Data Processors, such as:
      • industry professionals
      • companies responsible for the maintenance of information systems and software
      • companies responsible for providing administrative, organizational, and legal consultancy
      • consulting firms for health and safety in the workplace during contracted activities pursuant to Article 26 of Legislative Decree 81/08 and subsequent amendments, and Head of the Prevention and Protection Service
      • Group companies that provide ancillary and support services
    • Third parties acting as Independent Data Controllers, such as:
      • Public authorities, to the extent required by applicable law or by their orders, or for the exercise, establishment, and/or defense of legal claims
      • Banking institutions, insurance companies, certification bodies, etc. that provide ancillary support services

  4bis. SUPPLIER’S INFORMATION OBLIGATIONS REGARDING PERSONAL DATA PROTECTION
    The supplier undertakes to promptly notify the Data Controller of any event relevant to the protection of personal data, including: contractual changes that impact data processing; anomalies, critical issues, or breaches encountered in the provision of services; reports of complaints, privacy incidents, or data breaches; and changes in subcontractors involved in the processing. Such communications must be addressed to the Privacy Officer at the contact details indicated in this policy.

  5. NATURE OF DATA PROVISION AND CONSEQUENCES OF REFUSAL TO PROVIDE IT
    The provision of personal data is necessary for pre-contractual measures, the conclusion and proper performance of the contract. Any refusal to provide the requested Personal Data will make it impossible to initiate or continue the commercial or professional relationship and the activities envisaged therein

  6. DISSEMINATION OF DATA
    The data will not be subject to dissemination, except as required by law or necessary for the exercise of a right. No fully automated decision-making process is envisaged. However, with regard to IT suppliers, technical monitoring tools may be activated for IT security and incident prevention purposes

  7. SOURCES
    The data subject to processing may be acquired through a contact person of the Supplier, and may be transmitted and processed following the order.

  8. DATA TRANSFERS TO THIRD COUNTRIES
    Personal data is managed and stored on servers located within Italy, including through cloud services located in Italy. The personal data provided will not be transferred to third countries, i.e., outside the European Union or the European Economic Area. Any future transfers to third countries will be subject to prior notice to the data subject and will occur exclusively in compliance with the lawfulness conditions set forth in Articles 44 et seq. of Regulation (EU) 2016/679 (GDPR)

  9. DATA RETENTION PERIOD
    Personal Data will be processed for the time necessary to fulfill the aforementioned purposes. Administrative and supporting documentation will be retained for at least ten years from its issuance, unless specific regulatory obligations require longer retention periods

  10. DATA SUBJECT RIGHTS
    Within the limits of applicable law and pursuant to Articles 15 et seq. of Regulation (EU) 2016/679, the data subject has the right to access his or her personal data, request rectification or erasure, object to processing, request restriction of processing, and obtain the data concerning him or her in a structured, commonly used, and machine-readable format. Requests may be addressed to the Data Controller at privacy.ind@fcr.it and will receive a response within 30 days of receipt, which may be extended by an additional 30 days in cases of particular complexity, pursuant to Art. 12, paragraph 3, of Regulation (EU) 2016/679. Where applicable, the data subject also has the right to lodge a complaint with the Italian Data Protection Authority (Garante per la protezione dei dati personali) or to take legal action